1. You feel like you’re spending more than you should on controls and corporate compliance, yet you’re getting less value than you’d like for the money you’re spending.

2. You’re concerned about risk, but have no automated way to identify and monitor your key risk areas.

Within your auditing:

3. You’re spending the majority of your time on compliance-related tasks, rather than focusing on emerging risks and ways you can add value to finance and business managers.

4. You rely primarily on manual auditing and sampling to ensure that corporate controls are effective.

In your IT area:

5. You spend more time than you would like with auditors.

6. Managing who has access to applications is seen as your problem by business users.

We understand that their goal is to use controls to help protect against the varied risks of financial operations within your organization. From boardrooms to cubicles to loading docks, we need to make a place for the work of control freaks today.

Join the cause; subscribe today.

This blog is all about sharing our passion for continuous controls monitoring (CCM).

It’s a term often associated with “control freaks”—and that’s okay. We know it’s a rare breed that can take on the duties of monitoring financial anomalies for the good of an organization or business.

So this is your place. It’s where like-minded control freaks can share best practices and current trends. We’ll discuss corporate compliance, segregation of duties, continuous auditing, and mix in some acronyms like FISMA—the Federal Information Security Management Act.

We’re also here for all those “on the outside” who need to understand and work with Control Freaks. We’ll offer tips and tactics to keep things productive. And just maybe you’ll join our ranks!

Join the cause; subscribe today.

We’d seen the many articles and read a serious amount of analysis, but it didn’t seem so real until the real estate deal. 

Anyway, as we’ve discussed, the whistle-blower provisions of Dodd-Frank are a pretty big deal, and if your business hasn’t thought of how’ll you’ll adapt, well, now’s the time. 

Fortunately for you, we’ve written a good bit on this, so at least you’ve got somewhere to start. The good news? Companies with a firm handle on internal controls can make a great case for employees that concerns should remain internal.

The other good news?  If you don’t have such a great handle on the internal controls thing, we can help with that.

And then there are cases like this one.  Maxim Healthcare, which had at one point nearly two BILLION dollars in federal contracts for its home health aides and nurses, has admitted to $61 million worth of federal fraud and agreed to pay civil and criminal penalties totaling $150 million. 

Not that it’s a great scenario to have one lone greedy employee who’s pilfering without attracting notice.  But it’s an order of magnitude worse when DOJ investigations (spurred by a whistleblower complaint) reveal widespread instances of false billing, across multiple states. 

We talk a lot about the impossibility of legislating ethics, and how all the technology in the world can’t make people behave well.  This is a pretty bright example of just what can go wrong when a business operates without an appropriate respect for the governance and compliance concerns that should have been forefront in the minds of those in charge.  Sheesh.

It seems that – at least according to the Corporate Fraud Index – fraud-related reports account for more than 20% of all compliance reporting activity.  This is the highest it’s been since the CFI was created in 2005.  Total incidents of reported fraud were also up, nearly 18 percent. 

So what’s this all mean? In our post-SOX world, employees are apparently hearing just as much as they should that fraud is not something to be ignored or smoothed over.  That’s got to be good news.
 
But since this index only started tracking fraud reporting in 2005, and we’ve had all kinds of developments since then – an economic meltdown, near-implosions of the financial sector and Dodd-Frank, just to name a few – it’s hard to tell what that increase in reporting really tells us.  Are more people aware of fraud, doing their jobs with an eye toward preventing it, and reporting suspicious activities?

Or is there an increase in fraud itself, and reporting is starting to reflect how widespread it is?

What do you think?  That’s what the comments are for . . .

The cause? Zynga says it found a material weakness in internal controls over financial reporting. Kind of a big deal when you’re working to convince the whole investing world just how valuable your company is.

The restatement was a big one, bringing first-quarter profit figures from nearly $17 million down to just below $12 million.

Zynga says in its latest filing that it believes changes to its accounting policy have since fixed the identified weakness, and we’ll admit that they’re at least talking a good game on this one:

“If we are unable to maintain adequate internal controls for financial reporting in the future, or if our auditors are unable to express an opinion as to the effectiveness of our internal controls…investor confidence in the accuracy of our financial reports may be impacted or the market price of our Class A common stock could be negatively impacted.”

Not to beat a dead horse here, but we’ve heard shareholders (and would-be investors) really like when businesses can demonstrate robust internal controls – and real-time processes for monitoring them.

Adding insult to the injury of an employee who’s stealing from your customer base? A $500k fine for the company for failing to detect the fraud.

Reading the details doesn’t make the case any better. Apparently, the thief was able to continue a pattern of theft despite exception reports raising flags about new accounts she managed – and similar red flags on suspicious cross-account transfers she conducted.

We’ve said it before, and we’ll say it again. All the controls in the world don’t – can’t – do much good unless there are accompanied by capabilities for addressing exceptions. That’s why we’re such fans (okay, and innovators) of Continuous Controls Monitoring solutions, which let businesses address and mitigate exceptions within a closed-loop system. It’s much more than an acronym – it’s a way go from identifying risks to fixing them before they cost you and your customers.

Nope, not bankruptcy (this time – good guess, though). We’re talking DOJ (Department of Justice for those of you who haven’t had the pleasure) and SEC enforcement of FCPA violations. FCPA has been around longer than many of us at Approva, but it’s only in recent years that its real power has been realized, through an influx of funding and manpower behind enforcement efforts.

Corporate Compliance Insights has a bit of a primer on the last few years of FCPA enforcement, penned by some lawyers who seem to have been around the FCPA block. We were surprised to read that in 2010, fines for FCPA-related violations topped a billion dollars.

What this means for companies doing business overseas – and that’s a lot of them – is that FCPA needs to be a serious component of your risk strategy. You’re going to want to get your FCPA house in order, and fast. Want some tips? We’ve got a post for that.

Well, Michael Volkov has a great post that expands on that message in pretty persuasive detail. As he explains, there’s no shortage of regulations for companies doing business internationally – from OFAC to FCPA to AML, there are as many acronyms as there are civil penalties for breaking the rules.
What’s this mean for business? That a single bad call – like failing to check out a vendor or shipping something to the wrong person – can violate multiple statutes. That’s scary – and expensive.

Which is where convergence becomes so important. As Michael sums up Open Air’s Howard Sklar:

“It is critical for a company to weave the most common U.S. regulations of exports and international conduct into a common compliance mosaic – focusing on the key requirements of regulations, including the FCPA, the export-control and sanctions laws and the anti-boycott laws.”

We couldn’t have said it better ourselves.